Copyright © 2014 Splunk Inc. Building An Analytics-Enabled Security Operations Ctr (SOC) Mike Munn Splunk Engineering Manager.

Presentation transcript:
1 Building An Analytics-Enabled Security Operations Ctr (SOC)
Mike Munn, Splunk Engineering Manager
Copyright © 2014 Splunk Inc.

2 Who Can Benefit From This PPT?
Primary and secondary audiences:
- Wants to build a SOC
- Wants to enhance an existing SOC
- Performs SOC-like functions

3 What is a Security Operations Center (SOC)?
Centralized location(s) where key IT systems of an organization are monitored, assessed and defended from cyber attacks.
PRIMARY GOAL: Reduce risk via improved security
SECONDARY GOALS: Compliance, anti-DDoS, fraud detection

4 Before Building a SOC, Need to Understand:
- Significant upfront and ongoing investment of money and time
- Prerequisite is a certain security maturity level
- Structure will vary for each organization
- Important to prioritize and phase the build-out
- Executive-level and business unit support required

5 Three Interrelated Components of a SOC: Process, People, Technology

6 Process

7 Threat Modeling & Playbooks
1. What threats does the organization care about? Intellectual property or customer data loss, compliance, etc. Prioritize based on impact.
2. What would the threat look like? How it would access and exfiltrate confidential data.
3. How would we detect/block the threat? Requires machine data and external context. Searches or visualizations that would detect it (correlated events, anomaly detection, deviations from a baseline, risk scoring).
4. What is the playbook/process for each type of threat? Severity, response process, roles and responsibilities, how to document, how to remediate, when to escalate or close, etc.

8 Simplified SOC Tiers
ALERTS FROM: Security Intelligence Platform, Help Desk, Other IT Depts.
TIER 1: Monitoring; opens tickets, closes false positives; basic investigation and mitigation
TIER 2: Deep investigations/CSIRT; mitigation/recommends changes
TIER 3+: Advanced investigations/CSIRT; prevention; threat hunting; forensics; counter-intelligence; malware reverser (minimize incidents reaching them)

9 One vs. Multiple Locations
One location: a single site staffs the Morning, Afternoon and Midnight shifts.
Multiple locations: West Coast, East Coast and APAC sites each cover the Morning, Afternoon and Midnight hours from their own time zone.

10 Shift Rotations – One Location (Seattle)
SHIFT 1 (7 AM — 5 PM): Tier 1, Tier 2, Tier 3
SHIFT 2 (3 PM — 1 AM): Tier 1, Tier 2
SHIFT 3 (11 PM — 9 AM): Tier 1

11 Shift Rotations – Multiple Locations (New York, Hong Kong, Seattle)
SHIFT 1, SHIFT 2 and SHIFT 3 each run 9 AM — 5 PM local time, one per location.
Tier 1, Tier 2 and Tier 3 staff one shift; Tier 1 and Tier 2 staff the other two.

12 Operational Continuity
- Shift overlaps
- Shift handover procedures
- Shift reports

13 Other Process Items
- Involve outside groups to assist: business people, IT teams, SMEs (threat modeling, investigations, remediation)
- Incorporate learnings into the SOC and organization: adjust correlation rules or IT configurations, user education, change business processes
- Automate processes: security intelligence platform custom UIs to accelerate investigations and alerting, ticketing system

14 Demonstrate SOC Value
- Metrics on events/tickets, resolution time
- Show reduced business risk via KPIs
- Regular communication to execs and rest of org
- Anecdotes of threats defeated

15 People

16 Types of People
Multiple roles with different backgrounds, skills, pay levels, personalities: SOC Director, SOC Manager, SOC Architect, Tier 1 Analyst, Tier 2 Analyst, Tier 3 Analyst, Forensics Specialist, Malware Engineer, Counter-Intel
- On-the-job training and mentoring, and external training & certifications
- Need motivation via promotion path and challenging work
- Operating hours and SOC scope play key role in driving headcount

17 Different Skillsets Needed (Role/Title: Desired Skills)
Tier 1 Analyst: Few years in security, basic knowledge of systems and networking
Tier 2 Analyst: Former Tier 1 experience, deeper knowledge of security tools, strong networking / system / application experience, packet analysis, incident response tools
Tier 3 Analyst: All the above + can adjust the security intelligence platform, knows reverse engineering/threat intelligence/forensics
SOC Director: Hiring and staffing, interfacing with execs to show value and get resources, establishing metrics and KPIs
SOC Architect: Experience designing large scale security operations, security tools and processes

18 Technology

19 Need Security Intelligence Platform (SIEM + more!)
Meets key needs of SOC personnel: monitoring, correlations, alerts; ad hoc search & investigate; custom dashboards and reports; analytics and visualization; developer platform
Real-time machine data: cloud apps, servers, email, web, network flows, DHCP/DNS, custom apps, badges, intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, authentication, storage, industrial control, mobile
External lookups / enrichment: threat feeds, asset info, employee info, data stores, applications


21 Flexibility & Performance to Meet SOC Needs (SIEM vs. Security Intelligence Platform)
Data sources to index: SIEM = limited; Security Intelligence Platform = any technology, device
Add intelligence & context: SIEM = difficult; Security Intelligence Platform = easy
Speed & scalability: SIEM = slow and limited scale; Security Intelligence Platform = fast and horizontal scale
Search, reporting, analytics: SIEM = difficult and rigid; Security Intelligence Platform = easy and flexible
Anomaly/outlier detection and risk scoring: SIEM = limited; Security Intelligence Platform = flexible
Open platform: SIEM = closed; Security Intelligence Platform = open with API and SDKs

22 Connect the “Data-Dots” to See the Whole Story
Threat pattern (kill chain): Delivery, Exploit; Installation; Gain Trusted Access; Upgrade (Escalate); Lateral Movement; Data Gathering; Exfiltration; Persist, Repeat
Threat Intelligence: attacker, known C2 sites, infected sites, IOC, attack/campaign intent and attribution. Sources: external threat intel, internal threat intel, indicators of compromise
Network Activity/Security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download. Sources: malware sandbox, web proxy, NetFlow, firewall, IDS / IPS, vulnerability scanner
Endpoint Activity/Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility. Sources: DHCP, DNS, patch mgmt, endpoint (AV/IPS/FW), ETDR, OS logs
Authorization – User/Roles: access level, privileged users, likelihood of infection, where they might be in the kill chain. Sources: Active Directory, LDAP, CMDB, operating system, database, VPN, AAA, SSO

23 Other SOC Technologies
- Advanced incident response tools: packet capture, disk forensics, reverse malware tools
- Ticketing/case management system

24 Splunk Enterprise: A Security Intelligence Platform

25 Splunk Gives Path to SOC Maturity
Maturity progression: reactive search and investigate; proactive monitoring and alerting; security situational awareness; proactive real-time risk insight
Technology that enhances all your SOC personnel and processes

26 Splunk Can Complement an Existing SIEM
Integration: Scenario 1 = none; Scenario 2 = Splunk feeds SIEM; Scenario 3 = SIEM feeds Splunk
Each scenario is compared on: logging & SIEM; investigations / forensics; correlations / alerting / reporting; compliance (which tool owns each function varies by scenario)
Notes:
- May have different data sources going to Splunk vs SIEM
- Splunk typically sends just a subset of its raw data to SIEM
- Initially, SIEM connectors are on too many hosts to be replaced

27 Splunk App for Enterprise Security
Pre-built searches, alerts, reports, dashboards, workflow
- Incident investigations & management
- Dashboards and reports
- Statistical outliers
- Asset and identity aware

28 Key Takeaways
- SOC requires investment in people, process and technology
- Splunk Enterprise is a security intelligence platform that can power your SOC
- Splunk software makes your SOC personnel and processes more efficient

29 Next Steps
Splunk Security Advisory Services
- Help assess, build, implement, optimize a SOC
- Includes people, process, and technology
- Can include how to use Splunk within the SOC
Evaluate Splunk Enterprise and the Splunk App for Enterprise Security

30 Q&A

31 Thank You!

32 Appendix

33 Ticketing Best Practices
- Plan your queues
- Think of automating escalations
- Attack/incident reports are your receipt

34 MSSP Model
PROS: around the clock; higher visibility of the threat landscape; dedicated specialties; actionable alerting
CONS: lacks agility; does not know your infrastructure

35 Whiteboard: Splunk SOC/ES Architecture
Points:
- Build from previous architecture
- Layer in ES components
- Cover ES Search Head: function, sizing
- Cover TAs: function, benefits
- Offload search load to Splunk search heads
- Auto load-balanced forwarding to Splunk indexers
- Send data from thousands of servers using any combination of Splunk forwarders

36 Merge the Entity and Adversary Models
Entity model: Controls (SSCM, Chef); Audit (Tripwire, AD Monitor); Graphing; Intel; Exposure (Nmap, Nessus). Ranking: High = Tripwire, Chef, AD; Medium = Scans, Intel; Low = Nessus, Graphing
Adversary model: Recon (Nmap, OSINT); Delivery (Proxy, Email); Exploitation (Tripwire, IDS/IPS); C2 (DNS, Outbound Mon); Intent (Red Team). Ranking: High = Tripwire, Proxy, Email; Medium = DNS, Red Team; Low = IDS/IPS, Outbound

37 Example: Connecting the “data-dots”
Kill-chain stages: Delivery, Exploit; Installation; Gain Trusted Access; Upgrade (Escalate); Lateral Movement; Data Gathering; Exfiltration
Data rows: Threat Intelligence; Auth – User Roles; Host Activity/Security; Network Activity/Security
Evidence connected across the stages: malware download; program installation; blacklisted IP; malware install; blacklisted IP (seen again); malware and endpoint execution data; user on machine, link to program and process; sessions across different access points (web, remote control, tunneled); continued sessions during abnormal hours, periodicity, patterns, etc.
Legend: machine data, traffic data, abnormal behavior; high confidence event, med confidence event, low confidence event
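Slides 7, 22 and 37 all describe one mechanism: events from the threat-intel, network, endpoint and authorization sources are mapped onto kill-chain stages, weighted by confidence, and rolled up into a per-host risk score that a Tier 1 analyst tickets. The Python below is an added example of that logic, not Splunk code or anything from the deck; the rule set, confidence weights, ticketing threshold, hostnames, IP addresses (TEST-NET ranges) and events are all constructed.

```python
"""Per-host kill-chain risk scoring over constructed multi-source events (added example)."""
from collections import defaultdict

CONFIDENCE = {"high": 30, "med": 15, "low": 5}   # weights for slide 37's event tiers (assumed values)
THREAT_INTEL = {"203.0.113.10"}                  # constructed "known C2" address from TEST-NET-3

# Detection rules as (predicate, kill-chain stage, confidence); the first matching rule wins.
RULES = [
    (lambda e: e["source"] == "web_proxy" and e.get("action") == "download" and e.get("dest_ip") in THREAT_INTEL,
     "Delivery/Exploit", "high"),                                       # malware download from a blacklisted IP
    (lambda e: e["source"] == "endpoint" and e.get("parent") == "outlook.exe", "Installation", "med"),
    (lambda e: e["source"] == "endpoint" and e.get("event") == "registry_run_key", "Installation", "med"),
    (lambda e: e["source"] == "ad" and e.get("group") == "Domain Admins", "Upgrade (Escalate)", "high"),
    (lambda e: e["source"] == "netflow" and e.get("dest_ip") in THREAT_INTEL and e.get("bytes_out", 0) > 100_000_000,
     "Exfiltration", "high"),
    (lambda e: e["source"] == "netflow" and e.get("hour", 12) < 6, "Exfiltration", "low"),  # off-hours traffic alone is weak
]

# Constructed sample events (not real logs) from web proxy, endpoint agent, Active Directory and NetFlow.
EVENTS = [
    {"source": "web_proxy", "host": "ws-017", "action": "download", "dest_ip": "203.0.113.10"},
    {"source": "endpoint", "host": "ws-017", "event": "process_start", "parent": "outlook.exe"},
    {"source": "endpoint", "host": "ws-017", "event": "registry_run_key"},
    {"source": "ad", "host": "ws-017", "event": "group_add", "group": "Domain Admins"},
    {"source": "netflow", "host": "ws-017", "dest_ip": "203.0.113.10", "bytes_out": 850_000_000, "hour": 3},
    {"source": "web_proxy", "host": "ws-042", "action": "browse", "dest_ip": "198.51.100.7"},
    {"source": "netflow", "host": "ws-042", "dest_ip": "198.51.100.7", "bytes_out": 2_000, "hour": 3},
]

def classify(event):
    """Return (stage, confidence) from the first matching rule, or None if the event is benign on its own."""
    return next(((stage, conf) for pred, stage, conf in RULES if pred(event)), None)

def correlate(events):
    """Sum weighted confidence per host, plus 20 for every additional kill-chain stage the same host spans."""
    per_host = defaultdict(lambda: {"score": 0, "stages": set()})
    for event in events:
        if hit := classify(event):
            per_host[event["host"]]["score"] += CONFIDENCE[hit[1]]
            per_host[event["host"]]["stages"].add(hit[0])
    for rec in per_host.values():   # one alert is noise-prone; one host spanning several stages is the story
        rec["score"] += 20 * (len(rec["stages"]) - 1)
    return dict(per_host)

def triage(per_host, threshold=50):
    """Hosts whose score crosses the ticketing threshold (assumed), highest risk first, for Tier 1."""
    return sorted((h for h, r in per_host.items() if r["score"] >= threshold), key=lambda h: -per_host[h]["score"])

if __name__ == "__main__":
    print(triage(correlate(EVENTS)))   # ['ws-017']: ws-042's lone off-hours flow stays below threshold
```

The stage bonus is what turns four individually arguable alerts on ws-017 into a ticket while the single low-confidence flow from ws-042 stays in the noise, which is the "connect the data-dots" point of slides 22 and 37.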

38 Sample Job Description – Tier 2/3/CSIRT

39 Sample Job Description – Tier 1 SOC
